3 The Attacks Of 26 11 2 English Subtitles Watch Online


Melvin Amey

Jun 5, 2024, 3:44:50 PM
to lipiripic

Do you use Kodi, Popcorn Time, VLC or Stremio? Do you use subtitles while you watch? If so, then you need to update the platform as Check Point researchers revealed that not all subtitles are benign text files and hackers can remotely take control of any device running vulnerable software via malicious subtitles.



Download File: https://t.co/va35JVNXux



After an attacker manipulates subtitle rankings, a subtitle with malicious code would have the highest rank and automatically be downloaded without any user interaction required or even a man-in-the-middle attack.

In different attack scenarios, instead of a video player or streamer automatically downloading the malicious subtitle file, a user can be tricked into visiting a site using one of the vulnerable players or opting to download a tainted subtitle file to use with a video.

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.

They found a way to insert malicious code into subtitle files used by popular media players, including VLC, Kodi, Popcorn Time and Stremio. As soon as the player parses those evil files before displaying the actual subtitles on the screen, the attacker is granted control of the computers and TVs on which they ran, Check Point said. And, as such subtitles are typically downloaded automatically from online repositories that can be gamed, hackers can easily force media players to download their malicious subtitles rather than legitimate ones, the researchers discovered.

They were able to test their attacks on a variety of Windows PCs, right up to Windows 10. While they didn't run their hacks on a real-life smart TV, or on mobile platforms like Apple's iOS and Google's Android, they believe they pose a threat to any operating system. Thanks to the popularity of the media players, many millions could be affected.

The video below shows what's possible on a Windows PC, where the hidden malicious code runs once the movie Frozen is played inside Popcorn Time. The hackers then move on to the other platforms. On the right-hand side of the screen is the attacker's computer, running the hacker operating system, Kali Linux.

It should perhaps be no surprise hackers can exploit media players. In March, WikiLeaks published documents detailing Central Intelligence Agency (CIA) tools that targeted both Samsung smart TVs and players including VLC. At the time, VLC said there was no indication the hacks of its software were remotely exploitable and the CIA appeared to use a non-official, modified version of its video player.

As for how an attack would go down, Yaniv Balmas, malware research team leader at Check Point, explained his team was able to find a novel way to force the media players to run malicious subtitle files. Each media player, he said, used public repositories of subtitle files, such as OpenSubtitles.org, which Popcorn Time confirmed it was using. The players will typically download and run the most popular file for the chosen movie. That meant Balmas' team could game the OpenSubtitles.org system to ensure its malicious files would be ranked top and therefore run ahead of others.

With just two minutes of effort, the researchers were able to get their OpenSubtitles.org profiles labelled as trusted Gold Members and with tweaks to file names, they could force their subtitles up to the number one ranking for whatever films they chose (though without doing anything actually criminal). OpenSubtitles.org hadn't responded to a request for comment at the time of publication.

That was all possible in the first place due to the open nature of such repositories, said Balmas. "Anyone is allowed to access these, you just need a username and you're free to go," he told Forbes. "These media players, you don't know where they're connecting to, they're doing it automatically."

He said there were different vulnerabilities in each media player, but they would not be fully disclosed until all vendors had released patches and they were widely deployed. The weaknesses were likely a result of the complexities of each subtitle file parser, and the same vulnerabilities would likely be present across any platform using similar methods for subtitles, Balmas added.

A Stremio spokesperson said the flaws were fixed shortly after Check Point's disclosure, adding that both available versions of the app - 3.6.7 and 4.0 (beta) - have been patched. Users should receive an automatic update, but they can head to the company's site to get version 4.0 manually. Kodi developer Martijn Kaijser said users could get a fixed version online via this link, while the official v17.2 release would arrive later this week. Popcorn Time said a patch had been released and was available at this link. And VLC added that major issues were addressed in VLC 2.2.5 that's been out for two weeks, with more fixes coming later this week.

As always, the advice to users is simple: get the updates and patch up. But it might be wise for media players to look at how they handle subtitles too. In particular, Balmas said that if just one standardized program for managing subtitles was used across each media player, it'd likely reduce the complexity and therefore the number of bugs. "That'll be the real fix," he added.

Who needs Netflix when you have a library card? We have thousands of streaming feature films for when you need a break from studying. You can browse our two main feature film collections or search our catalogue by title. Get your popcorn ready!

Search for streaming videos by title or keyword using our Books and Media search. You can narrow your search by format, or just look for the Streaming Video icon to find online videos you can watch from home.
